sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
23:36:43,0717217 iexplore.exe 3520 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave8 SUCCESS Type: REG_SZ, Length: 2, Data:
23:37:02,2292562 iexplore.exe 3632 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave8 SUCCESS Type: REG_SZ, Length: 2, Data:

Figure 26 – Wave8 communications
4.3. Compression and table formats

The file ntcache.dat found among the DAT files contains logs from the inspected target computer. However, there are references to ntcache.dat as SFS Storage:

STORAGE.SFS.FILES.ntcache?dat.REINITIALIZE_ME
STORAGE.SFS.FILES.ntcache?dat.DELETE_ME
STORAGE.SFS.FILES.lmcache?dat.MAX_SIZE
STORAGE.SFS.FILES.lmcache?dat.BACKUP

Figure 27 – Winlogon.exe with injected code working with ccalc32.sys - procmon

We present the beginning of the binary format of ntcache.dat below.
0000000000: 02 30 30 30 30 30 30 31 │ 45 5C 30 30 30 30 30 30 ☻0000001E\000000
0000000010: 30 30 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00 00
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000060: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000070: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000080: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000090: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000A0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000B0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000C0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000D0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000E0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000F0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000100: 00 96 02 00 00 E6 57 1B │ 5B 5E 88 CC 01 01 00 00 ľ☻ ŠW←[^ł╠☺☺
0000000110: 00 28 01 0A 00 00 00 FF │ FF 00 00 43 00 4D 00 44 (☺◙ C M D
0000000120: 00 02 00 00 00 33 00 0C │ 00 00 00 FF FF 00 00 44 ☻ 3 ♀ D
0000000130: 00 45 00 53 00 43 00 0C │ 00 00 00 42 00 47 00 66 E S C ♀ B G f
0000000140: 00 4C 00 6F 00 77 00 2A │ 00 00 00 FF FF 00 00 52 L o w * R
0000000150: 00 45 00 51 00 55 00 45 │ 00 53 00 54 00 45 00 44 E Q U E S T E D
0000000160: 00 5F 00 46 00 49 00 4C │ 00 45 00 5F 00 4E 00 41 _ F I L E _ N A

Figure 28 – Binary format of ntcache.dat (beginning)
We could not decide whether the format is custom or just some unusual binary format. A comparison with ~HLV473.tmp, a file that contains a list of running processes, reveals the byte sequences "78 DA ED" and "78 DA 73"; the leading "78 DA" is the standard two-byte header of a zlib (deflate) compressed stream, so the payloads that follow can be decompressed with zlib inflate.
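The header-spotting step above, worked through as an added example that is not part of the CrySyS report: a small Python carver that scans a blob for bytes that satisfy the RFC 1950 zlib header check (78 DA is one such header), tries to inflate from each candidate, and skips the false positives. The sample blob and the process-list text inside it are constructed here for the demonstration; they are not bytes from ~HLV473.tmp.

```python
import zlib
from dataclasses import dataclass


@dataclass
class ZlibHit:
    offset: int      # where the candidate zlib header starts in the blob
    header: bytes    # the two header bytes, e.g. b"\x78\xda"
    complete: bool   # True if the stream ran to its Adler-32 trailer
    data: bytes      # inflated payload (partial if the stream was truncated)


def looks_like_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950: CM == 8 (deflate), CINFO <= 7, and CMF*256+FLG divisible by 31."""
    if (cmf & 0x0F) != 8 or (cmf >> 4) > 7:
        return False
    return ((cmf << 8) | flg) % 31 == 0


def carve_zlib_streams(blob: bytes, min_len: int = 1) -> list[ZlibHit]:
    """Find every inflatable zlib stream embedded in an arbitrary binary blob."""
    hits: list[ZlibHit] = []
    i = 0
    while i < len(blob) - 1:
        if looks_like_zlib_header(blob[i], blob[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:])   # stops at end-of-stream on its own
            except zlib.error:                 # header passed the check but the body is garbage
                out = None
            if out is not None and len(out) >= min_len:
                hits.append(ZlibHit(i, blob[i:i + 2], d.eof, out))
                if d.eof:                      # jump past the consumed stream
                    i = len(blob) - len(d.unused_data)
                    continue
        i += 1
    return hits


# Constructed sample: zeros, a level-9 stream (78 DA header), a filler word,
# a level-6 stream (78 9C header), and trailing zeros.
PROCESS_LIST = b"smss.exe\r\ncsrss.exe\r\nwinlogon.exe\r\nservices.exe\r\n"
SAMPLE_TMP = (b"\x00" * 16 + zlib.compress(PROCESS_LIST, 9)
              + b"\xff\xff\x00\x00" + zlib.compress(b"CMD\x00DESC\x00", 6) + b"\x00" * 8)

if __name__ == "__main__":
    for h in carve_zlib_streams(SAMPLE_TMP):
        print(f"offset 0x{h.offset:X} header {h.header.hex()} complete={h.complete} -> {h.data!r}")
```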
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 34